Opened 6 years ago

Closed 6 years ago

#30561 closed New feature (invalid)

Time for peppering user passwords in Django?

Reported by: linluc Owned by: nobody
Component: Uncategorized Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by linluc)

Peppering passwords has been a controversial topic widely discussed in many stack overflow questions. Having ran my 20+ personal email addresses through HIBP page the findings are clear: all emails/passwords of mine that had been leaked fall in the following categories: SQL injections, mis-configured databases, exposed database admin panels or strayed database backup files.

And that’s exactly what a pepper value in the hashing process is protecting from. Breaching the whole server with physical access to the file system is rather rare nowadays.

According to this NIST document [ Digital Identity Guidelines Authentication and Lifecycle Management]

https://pages.nist.gov/800-63-3/sp800-63b.html :

“In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier.”

So, why not in Django?

Change History (2)

comment:1 by linluc, 6 years ago

Description: modified (diff)
Last edited 6 years ago by linluc (previous) (diff)

comment:2 by Carlton Gibson, 6 years ago

Resolution: invalid
Status: newclosed

This is a discussion topic for the DevelopersMailingList.

Note: See TracTickets for help on using tickets.
Back to Top